This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I create a statistic showing which side closes the most connections?

1

I'm analyzing a packet dump where a client is talking to a server via TCP/IP. Sometimes the connection gets closed by one of the two machines with the usual handshake (FIN/ACK, FIN/ACK, ACK). After that, the client immediately opens a new connection and the process repeats after a few packets were sent.

How do I create a statistic showing which side (client or server) initiated the most connection shutdowns?

asked 16 May '11, 06:50


grimmig
accept rate: 0%

Does the menu "Statistics > Conversations List > TCP" help you?

(16 May '11, 22:14) helloworld

No. It only shows that conversations happened and who started them, but not who closed them.

I think what I need is a filter that shows only the first FIN packet in a conversation. Then I can simply run awk over the output and count the lines for each IP.

(19 May '11, 23:43) grimmig

One Answer:

1

I would pass all SYN/FIN/RST packets to a little perl (or awk) script that will keep a list of sessions that are created (SYN, no ACK), then when the first FIN or RST for that session comes, you can set a flag "closed-by-client" or "closed-by-server" for that session and once the whole file is processed, you can create the statistics.

answered 20 May '11, 23:20


SYN-bit ♦♦
accept rate: 20%
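A script along the lines SYN-bit describes, as an added example in Python rather than perl/awk (not code from the thread or from Wireshark): it assumes the SYN/FIN/RST packets were exported with the tshark -T fields command shown in the comments, giving tab-separated columns in that order, and the sample lines are constructed.

```python
from collections import Counter

# Assumed export command (an assumption, not from the thread):
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 || tcp.flags.fin==1 || tcp.flags.reset==1" \
#     -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport \
#     -e tcp.flags.syn -e tcp.flags.ack -e tcp.flags.fin -e tcp.flags.reset
# Boolean fields print as 1/0 or True/False depending on tshark version, so accept both.
TRUE_VALUES = {"1", "true"}

def _flag(value):
    return value.strip().lower() in TRUE_VALUES

def count_closers(lines):
    """Return (Counter by closing role, Counter by closing IP) for tab-separated lines."""
    sessions = {}  # (client_ip, client_port, server_ip, server_port) -> closing role or None
    by_role, by_ip = Counter(), Counter()
    for line in lines:
        if not line.strip():
            continue
        src, sport, dst, dport, syn, ack, fin, rst = line.rstrip("\n").split("\t")
        if _flag(syn) and not _flag(ack):
            sessions[(src, sport, dst, dport)] = None  # bare SYN: the sender is the client
            continue
        if not (_flag(fin) or _flag(rst)):
            continue  # SYN/ACK or other packets carry no close information
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in sessions:
            key, role = fwd, "client"
        elif rev in sessions:
            key, role = rev, "server"
        else:
            by_role["no-syn-seen"] += 1  # session started before the capture did
            continue
        if sessions[key] is None:  # only the first FIN/RST per session decides the closer
            sessions[key] = role
            by_role["closed-by-" + role] += 1
            by_ip[src] += 1
    return by_role, by_ip

# Constructed sample: server closes 40001, client closes 40002, server resets 40003,
# plus one FIN for a session whose SYN was never captured.
SAMPLE = """\
10.0.0.5\t40001\t10.0.0.9\t443\t1\t0\t0\t0
10.0.0.9\t443\t10.0.0.5\t40001\t1\t1\t0\t0
10.0.0.9\t443\t10.0.0.5\t40001\t0\t1\t1\t0
10.0.0.5\t40002\t10.0.0.9\t443\t1\t0\t0\t0
10.0.0.5\t40002\t10.0.0.9\t443\t0\t1\t1\t0
10.0.0.5\t40003\t10.0.0.9\t443\tTrue\tFalse\tFalse\tFalse
10.0.0.9\t443\t10.0.0.5\t40003\tFalse\tTrue\tFalse\tTrue
10.0.0.7\t5555\t10.0.0.9\t443\t0\t1\t1\t0
"""
```

Run `count_closers(open("fields.txt"))` on the real export to get the counts; on the sample it reports closed-by-server 2, closed-by-client 1 and no-syn-seen 1.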